When web browsers parse HTML they remove special characters; a malicious user may use this behavior to fool script/HTML filters in web applications.

Detail:

badWebMasters showed in their advisory #011 how to pass the "Snitz Forums" script filter with the Tab character (09). After "Opera" and "Mozilla" users noticed that the provided exploit didn't work on their systems, I decided to run some new tests, with an amazing result!
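A defensive illustration of the point above, added here and not part of the original advisory: a filter that matches the raw string misses a value containing the Tab character, while one that first removes the characters a browser's URL parser discards (per the WHATWG URL Standard) and then allowlists the scheme does not. It assumes the filter guards URL-valued attributes; the function names, allowed schemes and sample values are constructed for this example.

```javascript
// Added example (not from the advisory). Assumption: the filter's job is to
// reject script-scheme URLs in attribute values such as href/src.

// Naive filter: looks for the literal scheme in the raw attribute value.
function naiveIsAllowed(value) {
  return !/^\s*javascript:/i.test(value);
}

// Schemes the application accepts (constructed policy for this example).
const ALLOWED_SCHEMES = new Set(["http", "https", "mailto"]);

// Canonicalize the way a browser URL parser does before deciding:
// 1. trim leading/trailing C0 control characters and spaces (0x00-0x20),
// 2. delete every tab (0x09), LF (0x0A) and CR (0x0D) anywhere in the value.
function canonicalize(value) {
  return value
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
    .replace(/[\t\n\r]/g, "");
}

// Hardened filter: allowlist the scheme of the canonical form.
function hardenedIsAllowed(value) {
  const canon = canonicalize(value);
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(canon);
  if (!m) {
    // No scheme: relative reference. Reject if any control char survives.
    return !/[\u0000-\u001f\u007f]/.test(canon);
  }
  return ALLOWED_SCHEMES.has(m[1].toLowerCase());
}

// Constructed sample values; "\t" is the Tab character (09) from the advisory.
const SAMPLES = [
  "https://example.org/a.png",
  "/images/a.png",
  "javascript:void(0)",
  "java\tscript:void(0)",
  "\u0001 jav\r\nascript:void(0)",
];

function report() {
  return SAMPLES.map((v) => ({
    value: JSON.stringify(v),
    naive: naiveIsAllowed(v),
    hardened: hardenedIsAllowed(v),
  }));
}

console.table(report());
```

The last two samples are accepted by the naive filter and rejected by the hardened one; the decision is made on the canonical form, so the value stored or emitted should be that same canonical form.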

To detect which special characters can be used in HTML parameters, I set up the following ASP page: